Bitcoin Forum
Author Topic: Would a brain wallet based on a password hashing algorithm be secure?  (Read 508 times)
LoyceV (Legendary; Activity: 3318; Merit: 16689; "Thick-Skinned Gang Leader and Golden Feather 2021")
October 31, 2019, 04:11:30 PM  #21

The issue is with how easy it is to forget these things. I've spoken about this before in various threads on here, but there are a million and one things that can happen to anybody without warning which can result in significant and not fully reversible memory problems.
It's been more than a year since I last saw my paper wallets. They must be somewhere in the house, but after searching everywhere, I didn't find them. I've given up searching, hoping we'll find them if we ever move out.
Strangely enough, I can remember most passwords for a very long time.

odolvlobo (OP) (Legendary; Activity: 4326; Merit: 3235)
October 31, 2019, 06:20:01 PM  #22

Sorry for using the word "hash" when I should have written "password key derivation function".

I was hoping for something more than "brain wallets are bad". Any sig campaign spammer can write that.

A brain wallet created using a good password key derivation function must be better than one created using SHA-256. How secure is it? If password key derivation functions are not good enough for brain wallets, are they good enough for passwords?

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
Carlton Banks (Legendary; Activity: 3430; Merit: 3074)
October 31, 2019, 06:37:29 PM  #23

If you are going to use a brainwallet, I would suggest having a paper backup somewhere.

as LoyceV points out, what happens if you forget where you put the paper backup? Maybe you could surreptitiously visit the hiding place every day? And maybe people observing you doing that would notice and surmise that your hiding spot could be nearby. It's all a trade-off.

You could tell someone in your family, but you'd have to trust each other a lot (presumably you'd remember their seed and vice versa). Families frequently argue over money, all the more so if it's a lot of money.

Vires in numeris
DannyHamilton (Legendary; Activity: 3402; Merit: 4656)
October 31, 2019, 06:40:35 PM  #24

If password key derivation functions are not good enough for brain wallets, are they good enough for passwords?

No.  If the user chooses a weak password, then no derivation function is good enough.

On the other hand, if the user chooses an adequately strong password, then ANY derivation function is good enough.
Dabs (Legendary; Activity: 3416; Merit: 1912; "The Concierge of Crypto")
November 01, 2019, 04:01:53 PM  #25
Last edit: November 01, 2019, 05:44:33 PM by Dabs
Merited by LoyceV (2), ABCbits (1)

This doesn't work for everyone, but I have never lost my physical wallet, the one where I keep cash and cards and stuff. It's possible it can get stolen. Do you guys not have a safe place at home where you keep important documents such as school records, medical, birth, marriage, death certificates?

You don't need an expensive 10 hour rated waterproof and fire-resistant safe (although that is nice to have, might be worth it if your brainwallet stores a thousand coins.) You can get a relatively cheap combination lock safe with a backup key, bolt it inside a small closet in the middle of your house, and that's where you store your paper wallet backup.

Or you can do it John Wick style and pour cement over a hole in your basement.

I have a small filing cabinet, that's what I use.

Warp Wallet uses PBKDF2 and scrypt. It takes several seconds to spit out a private key, but it's not updated to use either compressed keys or segwit addresses. You could use what it spits out as another input to make either a single segwit address or as entropy for some BIP32/39 extended private key for plenty of addresses.

Example:

1. Use Warp Wallet, type in your 12+ character randomly generated password, get private key.
2. Use bitaddress, paste private key, view details, get private key in hexadecimal format.
3. Use bip39 tool, show entropy details, paste hexadecimal.
4. Choose your preferred derivation path for Legacy, Nested Segwit or Native Segwit addresses.

Do it three times for practice and to make sure you get the same set of bip39 words and addresses, maybe test sending to the first one with a small amount and spend from it too.

Save the three pages in a file somewhere, zip it, rar it, upload it to your own website, as even if it's on github, these things can disappear.


Ohhhh, I found another one:

https://www.nowallet.org/

Quote
NOWALLET

A Secure, private, and plausibly deniable
Cross-platform Bitcoin brainwallet

Still in beta at this time, though one can experiment; they have instructions for Linux.

*edit* I found this https://github.com/Logicwax/PortalWallet

Still not updated to include segwit though, but I'm sure someone else can fork this or fork the original warpwallet and add support for yprivs and zprivs.
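Steps 1 to 3 of the procedure above (Warp Wallet key, hex form, BIP39 entropy), as an added Python example that is not Warp Wallet's, bitaddress's or the bip39 tool's own code. It implements the WarpWallet construction as published (an scrypt half and a PBKDF2-SHA256 half, each with its own 0x01/0x02 domain-separation byte, XORed together; defaults N=2^18, r=8, p=1 and 65536 PBKDF2 rounds, the salt being the "email" field), checks the result is a valid secp256k1 scalar, and then turns the 32 bytes into the 24 BIP39 word indices a bip39 tool would look up in the English wordlist. The wordlist is not embedded, and the sample passphrase and salt are constructed for the demo.

```python
import hashlib

# secp256k1 group order: a 32-byte value is only a valid private key if 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def warp_kdf(passphrase: str, salt: str = "", *, n: int = 2 ** 18, r: int = 8,
             p: int = 1, pbkdf2_rounds: int = 2 ** 16) -> bytes:
    """WarpWallet-style key derivation (added example, not WarpWallet's own code).

    key = scrypt(pass||0x01, salt||0x01) XOR pbkdf2_sha256(pass||0x02, salt||0x02)
    The defaults are the parameters WarpWallet publishes; at those settings the
    scrypt half needs about 128*r*n bytes (256 MiB) and several seconds of CPU,
    which is exactly the cost an attacker has to pay per candidate phrase.
    """
    pw = passphrase.encode("utf-8")
    st = salt.encode("utf-8")
    s1 = hashlib.scrypt(pw + b"\x01", salt=st + b"\x01", n=n, r=r, p=p,
                        dklen=32, maxmem=2 * 128 * r * n + 1024 * 1024)
    s2 = hashlib.pbkdf2_hmac("sha256", pw + b"\x02", st + b"\x02",
                             pbkdf2_rounds, dklen=32)
    key = bytes(a ^ b for a, b in zip(s1, s2))
    k = int.from_bytes(key, "big")
    if not 1 <= k < SECP256K1_N:          # probability about 2^-128, but check anyway
        raise ValueError("derived value is not a valid secp256k1 private key")
    return key


def bip39_word_indices(entropy: bytes) -> list:
    """Split entropy plus checksum into 11-bit BIP39 word indices.

    This is what a BIP39 tool does when you paste raw entropy: append ENT/32
    checksum bits taken from the first byte(s) of sha256(entropy), then cut the
    bit string into 11-bit groups. 32 bytes of entropy gives 24 words.
    """
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def brainwallet_to_bip39_indices(passphrase: str, salt: str = "", **kdf_params) -> list:
    """KDF -> 32-byte private key (the hex you would paste) -> BIP39 word indices."""
    return bip39_word_indices(warp_kdf(passphrase, salt, **kdf_params))


if __name__ == "__main__":
    # Constructed sample inputs; with the default parameters this takes seconds.
    idx = brainwallet_to_bip39_indices("correct horse battery staple", "user@example.com")
    print(len(idx), "word indices:", idx)
```

Running it three times with the same inputs gives the same indices, which is the repeatability check the post asks for; the range check on the scalar is the one step the step-by-step recipe skips, because a 32-byte value that is 0 or at least the group order is not a usable key.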

Voland.V (Full Member; Activity: 224; Merit: 120)
December 01, 2019, 02:56:26 PM  #26

Yeah, learning a mnemonic phrase seems like it'll be a hard thing to learn, but it actually isn't that difficult. I remember thinking it was hard, but I kept restoring my wallet and started to learn it from memory.


Best things to do:
every so often, maybe once a day for 2 weeks, boot up Electrum (potentially on something like true key os that's fully disconnected from the Internet) and type up your key there (maybe do it twice or three times a day).
If you're trying to learn it, focus on words that are similar and words that are different; for example I have a seed with an oxymoron which produces a bit of a weird concept.

Try to visualise stuff (but don't force it). If it says there's a wasp, a puddle and a log next to each other, the wasp can be resting on the log which is floating on the water. If you try learning it the first way alone, sometimes the order can be messed up when you recite it which is easy to fix but avoidable.

You'd be writing down data from your brain wallet anyway so I don't think there'd be much of a problem there.
-----------------
I am not a specialist in the physiology of the human brain, but I understand that it is not yet possible to solve the problem of storing, generating and using a complex and long password, definitely for everyone and not just for the mentally developed. Passwords and keys are the weakest point of any cryptographic security system; it is these data that crackers are hunting. It seems that the development of technology on the one hand does not at all mean the development of security for the user on the other. Probably new approaches are needed. Check out my thread: https://bitcointalk.org/index.php?topic=5204368.new#new

If there are doubts and questions, I will answer in this place.
Cathedralgotix (Newbie; Activity: 1; Merit: 0)
December 04, 2019, 08:26:34 PM  #27

The typical brain wallet is constructed by hashing a memorable phrase using SHA-256, and using the result as the private key. It is well-established that the typical brain wallet is not secure. This thread demonstrates that very clearly:

Collection of 18.509 found and used Brainwallets

Here is a good example from that thread showing that even a seemingly good brain wallet phrase can be cracked:


The basic attack against brain wallets involves generating a huge list of potential phrases, and then checking the blockchain for the addresses derived from the hashes of those phrases. The defenses against this attack are to increase the range of potential phrases and to make it slower and more expensive to check them.

The cracked brain wallet above demonstrates to me that the benefit of increasing the potential range is limited. That is basically because a human's ability to create meaningful and memorable phrases is limited. For this reason, we have to accept that although a carefully chosen phrase is important, it is not sufficient, and it is also necessary to make it slower and more expensive to check the hashes of potential phrases.

The issue with SHA-256 is that it is very fast, and it is easy for the attacker to generate the private keys for a large number of potential brain wallets. A typical PC can generate up to a billion SHA-256 hashes every second. SHA-256 is not appropriate for hashing brain wallet phrases (or any kind of passwords).

Now, there are certain hashing algorithms specifically designed to resist attacks on hashed passwords: bcrypt, scrypt, and argon2id, for example. They have these advantages:
  • They are much slower than SHA-256. For example, Litecoin's configuration of scrypt is about 1000 times slower than SHA-256.
  • They require much more memory, which limits the parallelization.
  • They also generally include a "salt" parameter that limits the ability to use pre-generated hash tables.

My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?


Why limit yourself to one hash function???

You could switch between different hash functions in the same algorithm.

Something like this

Code:
import hashlib

def brainwallet_chain(passphrase, rounds=10000):
    # hash once first so that digest[-1] is always a hex character to select on
    digest = hashlib.sha256(passphrase.encode()).hexdigest()
    for i in range(rounds):
        selector = int(digest[-1], 16)   # last hex digit of the previous digest picks the next function
        if   selector == 0: h = hashlib.sha256(digest.encode())
        elif selector == 1: h = hashlib.sha3_256(digest.encode())
        elif selector == 2: h = hashlib.blake2s(digest.encode())
        elif selector == 3: h = hashlib.sha512(digest.encode())
        # and so on ...
        else:               h = hashlib.sha256(digest.encode())   # fallback so the loop runs for every selector
        digest = h.hexdigest()
    return digest

The hashing function for the next hash depends on the result of the previous hash.

This prevents prehashed table attacks against your brain wallet.

The algorithm is now part of the entropy of the passphrase, and if you keep it secret you can use easier-to-remember seeds to feed the algo.
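The attack the quoted post describes (generate a large list of candidate phrases, derive each key, look the result up), as an added Python example that is not code from the thread. A constructed fingerprint set stands in for the blockchain's address set, because real address derivation needs secp256k1 and Base58 and is beside the point here; the dictionary, the hashcat-style mutation rules and the victim's phrase are all constructed for the demo. The derive parameter is there so the same search can be pointed at a slower derivation: only the per-candidate cost changes, the search does not.

```python
import hashlib
from itertools import product
from typing import Callable, Iterable, Optional, Tuple


def sha256_brainwallet_key(phrase: str) -> bytes:
    """The typical brain wallet: private key = SHA-256(phrase)."""
    return hashlib.sha256(phrase.encode("utf-8")).digest()


def fingerprint(privkey: bytes) -> str:
    """Stand-in for the address derived from a key (constructed for the demo:
    sha256 of the key instead of secp256k1 -> hash160 -> Base58)."""
    return hashlib.sha256(privkey).hexdigest()


# Mutation rules an attacker applies to each harvested phrase.
RULES = [
    ("as-is", lambda s: s),
    ("lower", lambda s: s.lower()),
    ("capitalize", lambda s: s.capitalize()),
    ("title", lambda s: s.title()),
    ("nospace", lambda s: s.replace(" ", "")),
]
SUFFIXES = ["", "1", "!", "123", "2019", " 2019"]


def candidates(base_phrases: Iterable[str]) -> Iterable[str]:
    """Expand each base phrase through every rule and suffix, de-duplicated."""
    seen = set()
    for phrase, (_, rule), suffix in product(list(base_phrases), RULES, SUFFIXES):
        cand = rule(phrase) + suffix
        if cand not in seen:
            seen.add(cand)
            yield cand


def crack(base_phrases: Iterable[str], targets: set,
          derive: Callable[[str], bytes] = sha256_brainwallet_key
          ) -> Tuple[Optional[str], Optional[bytes], int]:
    """Derive a key for every candidate and look it up in the target set.

    Returns (phrase, key, candidates_tried); phrase and key are None on a miss.
    Swapping `derive` for a memory-hard KDF raises the cost of each iteration
    of this loop; it does not change the loop.
    """
    tried = 0
    for cand in candidates(base_phrases):
        tried += 1
        key = derive(cand)
        if fingerprint(key) in targets:
            return cand, key, tried
    return None, None, tried


# Constructed demo data: a victim who thought title case plus a year made a
# well-known phrase safe, and the short dictionary an attacker scraped.
VICTIM_PHRASE = "Correct Horse Battery Staple 2019"
DICTIONARY = ["to be or not to be", "correct horse battery staple", "the quick brown fox"]
TARGETS = {fingerprint(sha256_brainwallet_key(VICTIM_PHRASE))}

if __name__ == "__main__":
    phrase, key, tried = crack(DICTIONARY, TARGETS)
    print("hit:", phrase, "after", tried, "candidates; key =", key.hex())
```

The lookup is a set membership test, so the attacker's cost is entirely in the derive call; with plain SHA-256 that is the "billion hashes per second" case from the quote, and the only thing a password-hashing KDF buys is a larger constant in front of the same candidate count.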
Voland.V (Full Member; Activity: 224; Merit: 120)
December 05, 2019, 10:29:18 AM  #28

Quote from: Cathedralgotix on December 04, 2019, 08:26:34 PM
The hashing function for the next hash depends on the result of the previous hash

This prevents the prehashed tables attacks against your brain wallet

The algorithm is now part of the entropy of the passphrase and if you keep it secret you can use easier to remember seeds to feed the algo
-------------------------
If you need to keep the key secret, then first of all you need to be afraid of an attack on your device, and not on cryptographic tools.

All tips for using different hash functions are correct. It is worth listening to them. But you need to do this on a computer that is not connected to the Internet and with a minimum of installed auxiliary and unverified programs.

And here is why:
10:00 / December 5, 2019
Lazarus macOS malware
The malware is a new round in the development of the tactics used by Lazarus to invisibly infect Macs.

The Lazarus APT group, often linked by experts to the DPRK government, has been armed with new macOS hacking techniques.

K7 Computing security analyst Dinesh Devadoss discovered the first malware in the Lazarus arsenal to run in Mac memory. Such fileless programs work exclusively in the computer's RAM, which allows them to successfully bypass anti-virus solutions that look for malicious files on hard drives.

A malware sample discovered by Devadoss this week was examined by security guru Patrick Wardle. According to him, the malware is a new round in the development of the tactics used by Lazarus to quietly infect computers.

Check this information at the links:

https://mobile.twitter.com/dineshdina04/status/1201834142704394242

https://objective-see.com/blog/blog_0x51.html

As in other Lazarus malicious operations (in particular, the AppleJeus operation), the new attack begins with the victim installing malware disguised as a legitimate cryptocurrency trading application.

But are they all telling us that they are being used against us?
So it goes.